Greetings Kerberos-users,
I've been successfully using OTP and pkinit for the past year or so. Within
the last week, or so, it has started to fail with:
client:
$ /usr/bin/kinit -n -c /tmp/.kerberos_cache
kinit: Preauthentication failed while getting initial credentials
KDC:
KDC_RETURN_PADATA: W
Hi Ken!
Thanks for the reply and the comments.
On Fri, Jan 5, 2024 at 9:02 AM Ken Hornstein wrote:
> >Krb5 devs,
>
> I'm not an official MIT krb5 developer, so I can't speak for them. But
> in my experience things like this tend to be the most successful when they
> are submitted as pull reque
On Wed, Apr 26, 2023 at 11:41 AM Matt Zagrabelny wrote:
> On Wed, Apr 26, 2023 at 11:29 AM Ken Hornstein
> wrote:
>
>
> > It does occur to me a useful addition to kinit might be a flag that
> > means "authenticate using anonymous PKINIT and then use those
> > credentials as a FAST armour credent
On Wed, Apr 26, 2023 at 11:29 AM Ken Hornstein wrote:
>
> >Since I am currently only interested in anonymous auth, I thought I
> >could skip that directive. But alas:
>
> Right, so, here's where my limited knowledge of FAST comes into play.
>
> As I understand it, you need to be able to use a trus
[Probably solved!]
On Wed, Apr 26, 2023 at 10:12 AM Matt Zagrabelny wrote:
>
> Whoops. Looks like I need:
>
> sudo apt install krb5-pkinit
Fool me once shame on me, fool me twice shame on me!
I also neglected to add the krb5-otp package to the KDC server.
Now I get:
$ kdestroy
$ kinit -n -c /
Hi Ken, Greg, and BuzzSaw,
On Tue, Apr 25, 2023 at 7:02 PM Ken Hornstein wrote:
>
> >Making progress... but still need some pointers.
> >[...]
>
> Remember when I said setting up PKINIT is about as much fun as getting a
> punch in the face from John Cena? Well, you're about to discover what
> I
Making progress... but still need some pointers.
On Tue, Apr 25, 2023 at 4:01 PM BuzzSaw Code wrote:
>
> You don't need or want to know the anonymous principal's password -
> you should use randkey. Getting a password prompt for those creds
> means something is missing in the config.
OK. Agreed
Hi BuzzSaw,
Thanks for the reply!
On Tue, Apr 25, 2023 at 1:33 PM BuzzSaw Code wrote:
>
> What we did:
> - in your kdc.conf:
>
> [otp]
> DEFAULT = {
>     server = localhost6:1812
>     secret = secrettfile
>     strip_realm = true
> }
>
> This assumes your kdc runs a local RAD
Hi Ken!
On Mon, Apr 24, 2023 at 5:25 PM Ken Hornstein wrote:
>
> >make it look like you can put the secret directly into the
> >configuration file. There seems to be a little bit of disconnect
> >between those two parts of the docs. I just wanted to point it out if
> >it is helpful.
>
> It looks
Greetings Kerberos folks,
I am attempting to understand a bit more of the OTP support in MIT's
Kerberos implementation.
I'm running Debian stable:
ii krb5-kdc 1.18.3-6+deb11u3
I'm looking at the docs at:
https://web.mit.edu/kerberos/krb5-1.13/doc/admin/conf_files/kdc_conf.html#otp
The
On Tue, Feb 8, 2022 at 5:03 PM Dameon Wagner
wrote:
>
> Armed with that information, the most likely solution would be to
> extract a fresh keytab (using either the kadmin "ktadd" subcommand, or
> the handy `k5srvutil` command).
>
Thanks for the detailed instructions, Dameon!
Do you know why pe
On Tue, Feb 8, 2022 at 11:54 AM Matt Zagrabelny wrote:
> Greetings,
>
> I'm experiencing a failure between a GSS enabled Postgresql server and my
> CLI client.
>
> To my knowledge nothing has changed on the system to create this failure.
> I did modify some puppet configs, but according to the pu
Greetings,
I'm experiencing a failure between a GSS enabled Postgresql server and my
CLI client.
To my knowledge nothing has changed on the system to create this failure. I
did modify some puppet configs, but according to the puppet log output (and
stat'ing /etc/postgresql-common/krb5.keytab) fil
13 matches